Merikbest Ecommerce Spring Reactjs File Upload Path Traversal Vulnerability

Vulnerability

A critical path traversal vulnerability has been identified in the Merikbest Ecommerce Spring Reactjs application, in versions prior to the commit 464e610bb11cc2619cf6ce8212ccc2d1fd4277fd. The issue arises in the File Upload Endpoint, specifically within the '/api/v1/admin/' route. The vulnerability allows for manipulation of the 'filename' argument, potentially leading to unauthorized access to files on the server. This vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for path traversal, which could lead to unauthorized file access on the server.

Reproduction

The vulnerability can be reproduced by sending a request to the '/api/v1/admin/' endpoint with a crafted 'filename' argument that contains path traversal sequences (for example, '../' segments). Such a filename bypasses the normal file upload restrictions and reaches files outside the intended upload directory.
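
The advisory does not show the affected upload code, so the following is an added example, not the project's own code, of the check a Spring upload handler should apply to a client-supplied filename before writing to disk. The class name SafeUploadPath, the upload root and the sample filenames are all assumptions constructed for illustration. The policy is deliberately strict: any name carrying a directory separator, a '..' segment or a NUL byte is rejected outright rather than "cleaned", and the resolved target is still verified to sit inside the canonical upload root as defence in depth.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Hypothetical helper (added example, not from the project): maps a filename
 * supplied by the client, e.g. MultipartFile.getOriginalFilename(), to a
 * location that is guaranteed to lie inside the configured upload root.
 */
public final class SafeUploadPath {

    private final Path uploadRoot;

    public SafeUploadPath(Path uploadRoot) throws IOException {
        // Canonicalise the root once so symlinks inside it cannot skew the check.
        this.uploadRoot = uploadRoot.toRealPath();
    }

    /** Returns the target path for the upload, or throws if the name is unsafe. */
    public Path resolve(String clientFilename) {
        if (clientFilename == null || clientFilename.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // NUL bytes can truncate the name in lower layers, defeating later checks.
        if (clientFilename.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in filename");
        }
        // The client has no business choosing a directory: reject separators of
        // both styles and any '..' segment instead of trying to strip them.
        if (clientFilename.indexOf('/') >= 0 || clientFilename.indexOf('\\') >= 0
                || clientFilename.contains("..")) {
            throw new IllegalArgumentException("path traversal in filename: " + clientFilename);
        }
        // Defence in depth: even a name that passed the string checks must resolve
        // to a child of the root. Path.startsWith compares whole components, so
        // a sibling directory such as "uploads2" does not match "uploads".
        Path target = uploadRoot.resolve(clientFilename).normalize();
        if (!target.startsWith(uploadRoot) || target.equals(uploadRoot)) {
            throw new IllegalArgumentException("path escapes upload root: " + clientFilename);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root and inputs: one benign name and three traversal attempts.
        Path root = Files.createTempDirectory("uploads");
        SafeUploadPath safe = new SafeUploadPath(root);
        String[] samples = {
            "avatar.png",
            "../../etc/passwd",
            "..\\..\\win.ini",
            "sub/dir/file.txt"
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + safe.resolve(s));
            } catch (IllegalArgumentException e) {
                // In a real handler, log the rejected name: repeated rejections
                // from one client are a useful detection signal for this bug class.
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only "avatar.png" resolves; the other three samples are rejected before any filesystem write happens. Rejecting rather than sanitising keeps the server's behaviour predictable and makes the attempt visible in logs, which is what a defender wants from an admin-only upload route.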

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.